Description
This article describes how to add new firewalls to already existing policy package and the usage of Install On option.
Scope
FortiManager.
Important.
Do not import Policy Package from the FortiGate into the existing Policy Package with Install On option!
This will remove the Install On targets from the package and replace it with the existing policy package of the imported FortiGate.
Solution
Add FortiGates to the FortiManager.
Only authorize units to do not import policy packages.
(On the screenshots, it is possible to see that FortiGates have different policies)
At this step, it is possible to see that FortiManager does not have the custom policy related objects in its database yet.
Import policy package from the FortiGate with the most policies and name the package using the name of the shared policy package, this is simplify adding the rest of the policies that are missing later on.
Afterwards import the policy package for the rest of the FortiGates in a differently named packages other than the shared one will be used later.
There is no need to care about the name as these are only dummy policy packages that will be removed afterwards.
The goal of this is to retrieve custom objects that are on the FortiGates and update them into FortiManagers database, so that, it is possible than create the package without any obstructions or having to create objects manually for the Firewall Policies later on.
(Hint: Create ADOM revision before starting with the shared package as this may serve as return point in case of issues).
(While adjusting the policies in FortiManager, no installation is performed on the firewall so it is not necessary to worry about any change on the FortiGates)
Next step, it is necessary to move the policies from one package to the other so that the missing policies of the secondary firewalls are present in the main policy package.
Create the missing policies in the SHARED Policy Package.
Since the firewall has been imported in a dummy policy package, the objects present will be present in the FortiManager database.
Ensure that the new policy is under the 'SAME' policy and above 'Implicit Deny' policy.
In this case, due to install on targets FortiManager will ignore other policies and will take in consideration only order for those installed on for the same unit.
In this example, 1st will be SAME and DIFFERENT will be 2nd .
After this, add installation target under 'SHARED' policy package.
(Do not remove the installation target from the DUMMY_PACKAGE yet).
Proceed with adding Install On targets in the package.
(Notice policy SAME has both targets as it is common in both packages).
After successfully adding all the targets install the 'SHARED' policy package on both FortiGates.
A different sequence number will be visible in installation preview, however once installed it will correlate correctly to what you have on both FortiGates.
Lastly, remove the DUMMY_PACKAGE Installation Target.
